Code-scanning alerts and dependency (including license) information are available through the GitHub repository REST API. This action demonstrates using the xlsx package together with the GitHub API to quickly generate an Excel report (alerts.xlsx) from that data.
If you would like to explore these APIs using Postman, please see the postman collection folder for details.
The action requires a GitHub personal access token passed in from the workflow file. The correct way to do this is to use repository secrets.
The action creates the alerts.xlsx file in the workspace, which then needs to be uploaded using the upload-artifact action.
# Generate issues and save results
- uses: amitgupta7/[email protected]
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    # optionally define repo (default is calling repo)
    # repo: 'dsp-testing/ghas-intro-6'
- uses: actions/[email protected]
  with:
    name: results
    path: alerts.xlsx
First, you'll need to have a reasonably modern version of node handy. This won't work with versions older than 9, for instance.
Install the dependencies
$ npm install
Build the TypeScript and package it for distribution:
$ npm run build && npm run package
Run the tests by setting the INPUT_TOKEN and GITHUB_REPOSITORY environment variables. This should create an alerts.xlsx report file in the project root.
$ export INPUT_TOKEN=ghp_GITHUB_TOKEN_HERE
$ export GITHUB_REPOSITORY=amitgupta7/WebGoat
$ npm test
> [email protected] test
> jest
console.log
::error::No login found, using GITHUB_REPOSITORY
::debug::CodeQL[293]: open java/random-used-once warning
::debug::CodeQL[292]: open java/potentially-weak-cryptographic-algorithm warning
::debug::CodeQL[291]: open java/unsafe-get-resource warning
::debug::CodeQL[5]: open js/html-constructed-from-input error
::debug::CodeQL[4]: open js/html-constructed-from-input error
::debug::CodeQL[3]: open js/xss-through-dom warning
::debug::CodeQL[2]: open js/incomplete-sanitization warning
::debug::CodeQL[1]: open js/incomplete-sanitization warning
at Object.<anonymous> (__tests__/main.test.ts:13:11)
PASS __tests__/main.test.ts (6.968 s)
✓ test runs (6132 ms)
Test Suites: 1 passed, 1 total
Tests: 1 passed, 1 total
Snapshots: 0 total
Time: 7.04 s
Ran all test suites.
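As an added example that is not part of this action's code, the block below shows how the code-scanning alert JSON returned by the GitHub API (the data this action consumes) can be flattened into the array-of-arrays that the xlsx package's aoa_to_sheet accepts, and it reproduces the ::debug:: line format seen in the test run above. The field names follow the public REST API response shape; the alert values and the example repository URL are constructed sample data.

```typescript
// Added example (not the action's own code): flatten code-scanning alert JSON
// into spreadsheet rows and the ::debug:: lines seen in the test output. Field names
// follow the REST API response of GET /repos/{owner}/{repo}/code-scanning/alerts;
// the alerts below are constructed sample data, not findings from any real repo.
interface CodeScanningAlert {
  number: number;
  state: string; // "open", "dismissed" or "fixed"
  html_url: string;
  rule: { id: string; severity: string; security_severity_level?: string };
  tool: { name: string };
  most_recent_instance: { location: { path: string; start_line: number } };
}
const SAMPLE_ALERTS: CodeScanningAlert[] = [
  { number: 5, state: "open", html_url: "https://github.com/example/repo/security/code-scanning/5",
    rule: { id: "js/html-constructed-from-input", severity: "error", security_severity_level: "medium" },
    tool: { name: "CodeQL" },
    most_recent_instance: { location: { path: "src/ui.js", start_line: 42 } } },
  { number: 3, state: "open", html_url: "https://github.com/example/repo/security/code-scanning/3",
    rule: { id: "js/xss-through-dom", severity: "warning", security_severity_level: "medium" },
    tool: { name: "CodeQL" },
    most_recent_instance: { location: { path: "src/dom.js", start_line: 7 } } },
  { number: 292, state: "dismissed", html_url: "https://github.com/example/repo/security/code-scanning/292",
    rule: { id: "java/potentially-weak-cryptographic-algorithm", severity: "warning" },
    tool: { name: "CodeQL" },
    most_recent_instance: { location: { path: "src/Crypto.java", start_line: 88 } } },
];
const HEADER = ["Number", "State", "Tool", "Rule", "Severity", "Security severity", "Path", "Line", "URL"];
// Header row first, so xlsx.utils.aoa_to_sheet(rows) yields a sheet ready for the report.
function alertsToRows(alerts: CodeScanningAlert[]): (string | number)[][] {
  const rows: (string | number)[][] = [HEADER];
  for (const a of alerts) {
    const loc = a.most_recent_instance.location;
    rows.push([a.number, a.state, a.tool.name, a.rule.id, a.rule.severity,
      a.rule.security_severity_level ?? "", loc.path, loc.start_line, a.html_url]);
  }
  return rows;
}
// Same shape as the ::debug:: lines printed by the test run.
function debugLine(a: CodeScanningAlert): string {
  return `::debug::${a.tool.name}[${a.number}]: ${a.state} ${a.rule.id} ${a.rule.severity}`;
}
// Only open alerts represent outstanding risk; dismissed and fixed ones are excluded.
function countOpenBySeverity(alerts: CodeScanningAlert[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const a of alerts) {
    if (a.state !== "open") continue;
    counts[a.rule.severity] = (counts[a.rule.severity] ?? 0) + 1;
  }
  return counts;
}
```

Fetching the real alert list needs a token with access to code scanning results (the security_events scope on a personal access token, or the security-events: read permission for GITHUB_TOKEN); without it the API call fails before any report is written.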
Actions are run from public GitHub repos, so we check in the packed dist folder.
Then run ncc and push the results:
$ npm run package
$ git add dist
$ git commit -a -m "prod dependencies"
$ git push origin releases/v1
Note: We recommend using the --license option for ncc, which will create a license file for all of the production node modules used in your project.
Your action is now published! 🚀
See the versioning documentation